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“Plans are nothing; 
planning is everything.” 
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= Anti-Patterns: 
e No security plan 
e Expecting “perfect” security 
e Unrealistic security assumptions 


= Plan for security: Why, What, How 


Why is security important to your system? 
— Which aspects matter; which don't? 

What types of attacks do you expect? 

— Which attackers present the most risk 

How can you mitigate the risk? 

— How do you know you succeeded? 





Elements of a 
Security Plan 


e Requirements 
e Threats 


e Vulnerabilities 


e Mitigation 


e Validation 
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gy comect sng University 
sp or vendors m Wake-up call to US credit card system 
weet e Credit card skim at Point of Sale Terminals 


— Personal info (PII) also stolen from database 
me e S$150M - $300+M costs to Target 


@ Creat w adm 
5 stolen token — Additional costs bank write-off costs 
“sing new somin © e Accelerated move to chip security in US 
e Ultimately, cost CEO of Target his job 
229 ee = Complex attack 
08 , ale e Many steps, 3 month timeframe 
cine e Generated multiple security alerts 
ai © " GB of data, 40M credit cards, 70M other PII 
http://www.zdnet.com/article/the-target-breach-two-years-later/ 
@ Send stolen - https: Meee .commerce.senate.gov/public/_cache/files/24d3c229-4f2f-405d-b8db- 
data vie FTP s/c bar ties a3a67f183883/23E30AA955B5COOFES7CFD709621592C.2014-0325-target-kill-chain-analysis.pd 
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https://aroundcyber.files.wordpress.com/2014/09/aorato-target-report.pdf 
Attacker-controlled aorato-target-report.pdf 
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Security Requirements: Why Secure? Mella 
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Security: Protecting against unauthorized access, mee ~S\ %. 
use, disclosure, disruption, modification, and destruction fF | Shoe So »,}) ). 





[http://csrc.nist.gov/drivers/documents/FISMA-final.pdf] os F ‘ . iA 
=> ("CIA” properties) = < 
Confidentiality: is information released? — ae Sas iF 


e Information is kept secret (Secrecy) =» Encryption 

e Activities can’t be associated with an individual or other entity (Privacy) 

Integrity: have changes been made? 

e Unauthorized data alteration or destruction is detected or prevented (Data Integrity) 

e Changes to system state made by authorized entities (Authentication; Non-Repudiation) 
Availability: is tt working? 

e Services are available when requested in a timely manner (opposite is Denial of Service) 


Which of these are most important to you? 


e Often Data Integrity matters more than Secrecy 
© 2020 Philip Koopman 4 


Carnegie 


Mellon 


Threats: What Types Of Attacks? Ltt 





PLC DCS SCADA IED 
A system for remote monitoring A microprocessor-based controllers ie) Wh O e 


A discrete digital computer _—A hierarchical control system 
used for automation of with distributed elements and control of infrastructure, device forcontrolling power system 
typically over slow speed, long equipment, such as circuit breakers, 
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typically industrial across a facility via 
electromechanical processes communications technologies distance communication channels _ transformers and capacitor banks. ® 
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MANUFACTURING 


Insider 


= Motivation: $S$S$$(?) 
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RANSOMWARE REMOTE ACCESS MALICIOUS SUPPLY CHAIN DESTRUCTIVE @ 
TOOL INSIDER COMPROMISE MALWARE u rve a n ce 
Threat actor locks control Threat actor sends Insider removes /®mpromise of supply Malware alters parameters ° : 
of crane, trapping commands, destroyi over-speed protection chain results in on a semi-submersible rigs e Den I al of Service 
operator; unions halt sensitive equipment on turbine causing roduction of defective station keeping system 
ork until cranes are safe significant damage batch of medication Causing collision ® R ra) n S O m 
Operational halt Loss of capital Diminished DoJ initiates criminal Damage to rig 
investment generation capacity investigation and reputation @ F ame & N oto ri ety 
>: 
INCIDENT COUNT (FY) 257 245 
e Just for the lulz 
[40 ATTACKS ON ICS CAN CUT DEEP INTO YOUR BOTTOM LINE 
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Vulnerabilities: Weaknesses & Tactics eke 


= Back door 

e e.g. Not-so-secret factory password 
Brute Force 

e Dictionary of common passwords 

e Crash due to exceptional inputs e Random parameters to see what breaks 


e Executing input as a command (SQL) Phishing 


= Improper Authentication e Trick victim into installing malware 
e Trick victim into revealing info 


Worms that self-propagate 

e USB flash drive infections 

Be Trojan Horse 

2 e e.g., Fake software update 
Side Channel 


e Power consumption reveals secret keys 








m Resource management 

e Buffer overflow 

e Garbage collection; timeouts 
= Improper input validation 





e Bad configuration; information exposure 

e Delayed message playback 

e Man-in-the-middle attacks 
m Bad Cryptography 

e Weak algorithms 

e Non-random keys 

e Insecure protocols 
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_ Mitigation: Good Security Design Mellon 


Pay attention to resource management 
e Especially, avoid buffer overflows 


Validate all inputs Store to wv 
e Check size & data validit 
. addr[100] 


Ensure authentication is done properly 
e No master password! 
e Configuration, permissions 


-High Addresses 











Use strong crypto & proven protocols ad 
e lf you write it yourself, probably it’s broken this way 
e Principle of Least Privilege (don’t run as root) 
Secure boot C\ 
e Authenticate updates 
e ZL 





Avoid “security via obscurity” - 2 
e Proprietary network protocols are NOT secure http://goo.gl/2ta7Qv 
e Rely primarily on a unique, per-system crypto key © 2020 Philip Koopman 7 
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Validation: How Do You Know Youre Secure? Vege biiy 





m Check code quality 
e Buggy code is probably insecure 
e Static analysis, stack checker tool, dynamic checkers 


e Peer reviews (e.g., follow Cert C 98 Coding Standard) 
— http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1255.pdf 


= Penetration testing 
e Mostly helps deal with known exploits 
= Penetration analysis 
e Hire a ‘red team’ to attempt to penetrate system 
= Plan to be imperfect 
e What if assumptions are violated (e.g., customer firewall) 


e Defense in depth 
e Plan for security patches (on-line updates are a vulnerability too!) 
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Security Requirements ie 


e What does security mean to your product? 
Threat Model 

e Who is likely to attack you, and why? SA 
e What is the operational environment? F ) = i 
Vulnerabilities WH, —— 
e Whatare the paths of attack on your system? —& Uf, 
e What are the likely objectives of an attacker? VIR "Ye 
Mitigation Strategies VIC ANZ 

e Rank probably & severity (to the degree you can) and prioritize risk (e.g., with a Risk Table) 
e How will you address each risk, including ones that appear after deployment? 

Validation Strategies 

e Does your mitigation really work? 
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OUT THESE LINES... 


UP THE DEBIAN -OPENSSL The "Debian-OpenSSL fiasco" was a 
FIASCO, A NUMBER OF OTHER major security problem discovered in 
MAJOR SECURITY HOLES the Debian Linux distribution and its 
HAVE BEEN UNCOVERED: version of the cryptographic library 
AFFECTED | called Openssl. With just a tiny 
CYSTEM SECURITY PROBLEM change in the software, which was 
: = intended to have no effect on 
ore security, its random number 
: — generator was completely crippled, as 
 hamgtes sate ar ae pul was the security of all cryptographic 
keys generated by the system. The 
GENTOO VULNERABLE To FLATTERY problem was created when a Debian 
developer removed one line of code 
VULNERABLE TO JEFF which was crucial, even though it 


OLPC OS | GoipgLum’s PowERBOOK 


could seem like it did nothing useful. 
GIVES RooT ACCESS IF USER 

=| “ROT Yer mat 
SAYS ELVISH WORD FOR FRIEND https://www.explainxkcd.com/wiki/index.php/ 
TURNS OUT DISTRO 15 424:_Security_Holes 


UBUNTU — | ACTUALLY JUST WINDOWS VISTA 
| WITH A FEW CUSTOM THEMES © 2020 Philip Koopman 1Q 
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